[Samba] Issues demoting a samba DC.

Michael Tokarev mjt at tls.msk.ru
Sun Jan 8 11:04:29 UTC 2023


I'm trying to remove a DC from our samba domain (samba 4.17.4).
It was the primary controller (with FSMO roles), - I successfully
transferred the roles to another DC.  Now it's time to demote:

ai# samba-tool domain demote -U mjt-adm
Using svdcp.tls.msk.ru as partner server for the demotion
Password for [TLS\mjt-adm]:
Deactivating inbound replication
Asking partner server svdcp.tls.msk.ru to synchronize from us
Changing userControl and container
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while renaming CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru to CN=AI,CN=Computers,DC=tls,DC=msk,DC=ru - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl:access_denied renaming CN=AI,OU=Domain Controllers,DC=tls,DC=msk,DC=ru> <>

mjt-adm is a user with admin rights (Domain Admins group) in the DC.
It is interesting that I cannot use the Administrator account for this:
it asks for the password twice, then refuses to work, saying the
login is incorrect, even though the same password works for

Now, after the first attempt to demote, some things don't work
right, e.g.:

ai# samba-tool drs showrepl
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (8453, 'WERR_DS_DRA_ACCESS_DENIED')

(it definitely worked at least before the FSMO roles transfer).

Should I force-remove it from another DC?
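The checks a practitioner would run on the failing DC before deciding on a forced removal, as an added example that is not part of the original post. It assumes the DC hostname AI and domain DN DC=tls,DC=msk,DC=ru from the post, and a sam.ldb path of /var/lib/samba/private/sam.ldb (the Debian/Ubuntu default); the samba-tool subcommands used (fsmo show, drs showrepl, dsacl get, domain demote --remove-other-dead-server) are real, but the script itself is illustrative and not from the Samba project.

```shell
#!/bin/sh
# Added example, not from the original post or from the Samba project.
# Diagnostic sequence for a "samba-tool domain demote" that failed with
# LDAP_INSUFFICIENT_ACCESS_RIGHTS while renaming the DC's computer object.
# Assumptions (override via environment): DC hostname "AI", domain DN
# "DC=tls,DC=msk,DC=ru", sam.ldb at /var/lib/samba/private/sam.ldb.

DC_NAME="${DC_NAME:-AI}"
DOMAIN_DN="${DOMAIN_DN:-DC=tls,DC=msk,DC=ru}"
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# DN of the DC's computer account while it is still a domain controller.
dc_object_dn() {
    printf 'CN=%s,OU=Domain Controllers,%s\n' "$1" "$2"
}

# DN the demote tries to rename the account to (the rename that was denied).
demoted_object_dn() {
    printf 'CN=%s,CN=Computers,%s\n' "$1" "$2"
}

# 1. Confirm no FSMO role still points at this DC; demote refuses (or
#    misbehaves) if one was missed during the transfer.
check_fsmo() {
    echo "== FSMO role owners"
    samba-tool fsmo show
}

# 2. The failed attempt re-enabled inbound replication; confirm the
#    partner still replicates with us before trying again.
check_replication() {
    echo "== Replication status"
    samba-tool drs showrepl
}

# 3. The rename moves the object out of OU=Domain Controllers and into
#    CN=Computers, so the demoting account needs rights on all three
#    objects. Dump the ACEs on each so the missing right can be spotted.
show_acls() {
    obj=$(dc_object_dn "$DC_NAME" "$DOMAIN_DN")
    for dn in "$obj" "OU=Domain Controllers,$DOMAIN_DN" "CN=Computers,$DOMAIN_DN"; do
        echo "== ACL on $dn"
        samba-tool dsacl get --objectdn="$dn"
    done
    # Raw security descriptor straight from the local database, for comparison.
    ldbsearch -H "$SAM_LDB" -s base -b "$obj" nTSecurityDescriptor
}

# 4. Fallback the post asks about: from ANOTHER DC, remove all references
#    to this server. Only run this once the DC is taken off the network.
forced_removal_command() {
    printf 'samba-tool domain demote --remove-other-dead-server=%s -U %s\n' \
        "$1" "${2:-Administrator}"
}

# Only run the live checks when explicitly asked, so the functions above
# can be sourced and inspected without samba-tool being present.
case "${1:-}" in
    run)
        check_fsmo
        check_replication
        show_acls
        echo "== If the DC cannot be demoted cleanly, run on another DC:"
        forced_removal_command "$DC_NAME" mjt-adm
        ;;
esac
```

Run as `sh demote-checks.sh run` on the DC being demoted; the final line prints the forced-removal command to run on the remaining DC rather than executing it, since that step is destructive and only appropriate once the old DC is off the network.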


